Commit graph

8144 commits

Author SHA1 Message Date
Simon Butcher
63cb97e562 Add handlers for parameter validation in the sample programs
The sample programs require an additional handler function of
mbedtls_param_failed() to handle any failed parameter validation checks enabled
by the MBEDTLS_CHECK_PARAMS config.h option.
2018-12-11 12:28:56 +01:00
Simon Butcher
a646345e3f Add additional parameter validation tests for the AES module
This adds additional tests to validate the AES module parameter validation
checks which are enabled using the MBEDTLS_CHECK_PARAMS option.
2018-12-11 12:28:56 +01:00
Simon Butcher
5201e414aa Add optional parameter validation to the AES module
This adds additional and optional parameter validation to the AES module that
can be used by enabling the MBEDTLS_CHECK_PARAMS config.h option.
2018-12-11 12:28:56 +01:00
Simon Butcher
b4868034dd Add initial options and support for parameter validation
This function adds the additional config.h option of MBEDTLS_CHECK_PARAMS which
allows additional validation of parameters passed to the library.
2018-12-11 12:28:56 +01:00
Jaeden Amero
01b34fb316 Merge remote-tracking branch 'upstream-public/pr/2267' into development 2018-12-07 16:17:12 +00:00
Jaeden Amero
faafcd83a8 Merge remote-tracking branch 'upstream-public/pr/2223' into development 2018-12-07 16:16:24 +00:00
Jaeden Amero
fedb407a3f Merge remote-tracking branch 'upstream-public/pr/2208' into development 2018-12-07 16:16:04 +00:00
Jaeden Amero
52ed0b9030 Merge remote-tracking branch 'upstream-public/pr/2101' into development 2018-12-07 16:15:31 +00:00
Jaeden Amero
d07ef47150 Merge remote-tracking branch 'upstream-public/pr/2061' into development 2018-12-07 16:07:21 +00:00
Janos Follath
172ba63463 Add guard for MBEDTLS_ECP_INTERNAL_ALT
MBEDTLS_ECP_RESTARTABLE and MBEDTLS_ECP_INTERNAL_ALT are mutually
exclusive, can't work and shouldn't be compiled together.
2018-12-07 13:13:42 +00:00
Janos Follath
683c582530 Clarify alternative ECP calling conventions
Function calls to alternative implementations have to follow certain
rules in order to preserve correct functionality. To avoid accidentally
breaking these rules we state them explicitly in the ECP module for
ourselves and every contributor to see.
2018-12-07 13:13:30 +00:00
Jaeden Amero
60ca6e58b6 test: Make basic-build-test.sh see summary statuses
We've changed the behavior of "-v" to no longer output test summary
statuses. Update basic-build-test.sh to use the test runner's verbosity
option "-v 2", so that the basic-build-test.sh script can get the summary
statuses it needs.
2018-12-07 13:06:24 +00:00
Janos Follath
d2af46f1e6 Fix typo in ECP alternative documentation 2018-12-07 11:05:21 +00:00
Janos Follath
855def157f Add changelog entry for ECC hardware bugfix 2018-12-07 11:05:03 +00:00
Janos Follath
af6f2694a4 Fix ECC hardware double initialization
We initialized the ECC hardware before calling
mbedtls_ecp_mul_shortcuts(). This in turn calls
mbedtls_ecp_mul_restartable(), which initializes and frees the hardware
too. This issue has been introduced by recent changes and caused some
accelerators to hang.

We move the initialization after the mbedtle_ecp_mul_shortcuts() calls
to avoid double initialization.
2018-12-07 11:03:47 +00:00
Jaeden Amero
8ef1f48a52 Merge remote-tracking branch 'upstream-public/pr/2219' into development 2018-12-06 16:16:36 +00:00
Jaeden Amero
28efba0874 Merge remote-tracking branch 'upstream-public/pr/2218' into development 2018-12-06 16:15:01 +00:00
Jaeden Amero
e1b1a2c979 Merge remote-tracking branch 'upstream-public/pr/2181' into development 2018-12-06 16:11:49 +00:00
Jaeden Amero
9055a7d855 Merge remote-tracking branch 'upstream-public/pr/2175' into development 2018-12-06 16:09:58 +00:00
Jaeden Amero
3c0941ec64 Merge remote-tracking branch 'upstream-public/pr/2172' into development 2018-12-06 16:09:08 +00:00
Jaeden Amero
5b46fe774b Merge remote-tracking branch 'upstream-public/pr/2157' into development 2018-12-06 16:06:57 +00:00
Jaeden Amero
bc1cf5cd36 Merge remote-tracking branch 'upstream-public/pr/2131' into development 2018-12-06 16:04:55 +00:00
Jaeden Amero
a04617ec18 Merge remote-tracking branch 'upstream-public/pr/2125' into development 2018-12-06 16:02:31 +00:00
Jaeden Amero
c27e3420b9 Merge remote-tracking branch 'upstream-public/pr/2117' into development 2018-12-06 15:59:32 +00:00
Jaeden Amero
083681c832 Merge remote-tracking branch 'upstream-public/pr/2039' into development 2018-12-06 15:55:34 +00:00
Jaeden Amero
833c053b71 Merge remote-tracking branch 'upstream-public/pr/1982' into development 2018-12-06 15:54:21 +00:00
Jaeden Amero
41722ec29e Merge remote-tracking branch 'upstream-public/pr/1958' into development 2018-12-06 15:53:56 +00:00
Jaeden Amero
643e0027d6 Merge remote-tracking branch 'upstream-public/pr/1548' into development 2018-12-06 15:51:29 +00:00
Janos Follath
c3b680b028 Clarify requirements on handling ECP group IDs 2018-12-06 12:24:04 +00:00
Janos Follath
b8f27060e0 Add Changelog entry for the new ECDH context 2018-12-06 12:22:46 +00:00
Janos Follath
36c5f7fe9b ECDH: Hide context from tests
The tests for the ECDH key exchange that use the context accessed it
directly. This can't work with the new context, where we can't make any
assumptions about the implementation of the context. This commit works
around this problem and comes with the cost of allocating an extra
structures on the stack when executing the test.

One of the tests is testing an older interface for the sake of backward
compatibility. The new ECDH context is not backward compatible and this
test doesn't make any sense for it, therefore we skip this test in
non-legacy mode.
2018-12-06 12:22:46 +00:00
Janos Follath
3fbdadad7b SSL: Make use of the new ECDH interface
The SSL module accesses ECDH context members directly. This can't work
with the new context, where we can't make any assumption about the
implementation of the context.

This commit makes use of the new functions to avoid accessing ECDH
members directly. The only members that are still accessed directly are
the group ID and the point format and they are independent from the
implementation.
2018-12-06 12:22:46 +00:00
Janos Follath
948f4bedcc Debug: Add functions for ECDH contexts
The SSL module accesses ECDH context members directly to print debug
information. This can't work with the new context, where we can't make
assumptions about the implementation of the context. This commit adds
new debug functions to complete the encapsulation of the ECDH context
and work around the problem.
2018-12-06 12:22:46 +00:00
Janos Follath
5a3e1bfda0 ECDH: Make the implementation use the new context
The functionality from public API functions are moved to
`xxx_internal()` functions. The public API functions are modified to do
basic parameter validation and dispatch the call to the right
implementation.

There is no intended change in behaviour when
`MBEDTLS_ECDH_LEGACY_CONTEXT` is enabled.
2018-12-06 12:22:18 +00:00
Simon Butcher
fabc6001ff Clarify attribution for the Bleichenbacher's Cat fix 2018-12-01 22:43:08 +00:00
Janos Follath
52735ef2fe ECDH: Prevent direct access in non-legacy mode
Some sample programs access structure fields directly. Making these work is
desirable in the long term, but these are not essential for the core
functionality in non-legacy mode.
2018-11-30 14:21:35 +00:00
Janos Follath
c9c32f3f63 ECDH: Add flexible context and legacy flag
We want to support alternative software implementations and we extend
the ECDH context to enable this. The actual functional change that makes
use of the new context is out of scope for this commit.

Changing the context breaks the API and therefore it has to be
excluded from the default configuration by a compile time flag.
We add the compile time flag to the module header instead of
`config.h`, because this is not a standalone feature, it only
enables adding new implementations in the future.

The new context features a union of the individual implementations
and a selector that chooses the implementation in use. An alternative
is to use an opaque context and function pointers, like for example the
PK module does it, but it is more dangerous, error prone and tedious to
implement.

We leave the group ID and the point format at the top level of the
structure, because they are very simple and adding an abstraction
layer around them away does not come with any obvious benefit.

Other alternatives considered:

- Using the module level replacement mechanism in the ECP module. This
would have made the use of the replacement feature more difficult and
the benefit limited.
- Replacing our Montgomery implementations with a new one directly. This
would have prevented using Montgomery curves across implementations.
(For example use implementation A for Curve448 and implementation B for
Curve22519.) Also it would have been inflexible and limited to
Montgomery curves.
- Encoding the implementation selector and the alternative context in
`mbedtls_ecp_point` somehow and rewriting `mbedtls_ecp_mul()` to
dispatch between implementations. This would have been a dangerous and
ugly hack, and very likely to break legacy applications.
- Same as above just with hardcoding the selector and using a compile
time option to make the selection. Rejected for the same reasons as
above.
- Using the PK module to provide to provide an entry point for
alternative implementations. Like most of the above options this
wouldn't have come with a new compile time option, but conceptually
would have been very out of place and would have meant much more work to
complete the abstraction around the context.

In retrospect:

- We could have used the group ID as the selector, but this would have
made the code less flexible and only marginally simpler. On the other
hand it would have allowed to get rid of the compile time option if a
tight integration of the alternative is possible. (It does not seem
possible at this point.)
- We could have used the same approach we do in this commit to the
`mbedtls_ecp_point` structure. Completing the abstraction around this
structure would have been a much bigger and much riskier code change
with increase in memory footprint, potential decrease in performance
and no immediate benefit.
2018-11-30 14:21:35 +00:00
Janos Follath
fc03e8dfa9 ECDH: Adapt tests for mbedtls_ecdh_setup()
The recently added `mbedtls_ecdh_setup()` function is not used in the
tests yet. This commit adapts the tests to the new workflow.

Having done that, the old lifecycle is not tested anymore, so we add a
new test to ensure backward compatibility.
2018-11-30 14:09:57 +00:00
Janos Follath
f61e486179 ECDH: Add mbedtls_ecdh_setup()
In the future we want to support alternative ECDH implementations. We
can't make assumptions about the structure of the context they might
use, and therefore shouldn't access the members of
`mbedtls_ecdh_context`.

Currently the lifecycle of the context can't be done without direct
manipulation. This commit adds `mbedtls_ecdh_setup()` to complete
covering the context lifecycle with functions.
2018-11-30 14:09:57 +00:00
Janos Follath
89ac8c9266 ECP: Add mbedtls_ecp_tls_read_group_id()
`mbedtls_ecp_tls_read_group()` both parses the group ID and loads the
group into the structure provided. We want to support alternative
implementations of ECDH in the future and for that we need to parse the
group ID without populating an `mbedtls_ecp_group` structure (because
alternative implementations might not use that).

This commit moves the part that parses the group ID to a new function.
There is no need to test the new function directly, because the tests
for `mbedtls_ecp_tls_read_group()` are already implicitly testing it.

There is no intended change in behaviour in this commit.
2018-11-30 14:09:57 +00:00
Simon Butcher
51b8a2fa87 Merge remote-tracking branch 'restricted/pr/512' into development 2018-11-29 16:56:02 +00:00
Simon Butcher
b9eb7866eb Merge remote-tracking branch 'restricted/pr/535' into development 2018-11-29 16:54:51 +00:00
Simon Butcher
658618b6b2 Merge remote-tracking branch 'restricted/pr/516' into development 2018-11-29 16:53:51 +00:00
Gilles Peskine
50da016e5c Add changelog entry for mbedtls_mpi_write_binary fix 2018-11-29 12:46:05 +01:00
Gilles Peskine
056f19c79f Tweak RSA vulnerability changelog entry
* Correct the list of authors.
* Add the CVE number.
* Improve the impact description.
2018-11-29 12:45:01 +01:00
Gilles Peskine
c4a8017e3e mbedtls_ctr_drbg_update_ret: correct doc for input length limit
Unlike mbedtls_ctr_drbg_update, this function returns an error if the
length limit is exceeded, rather than silently truncating the input.
2018-11-26 19:26:22 +01:00
Gilles Peskine
5da0505842 Add ChangeLog entry for deprecation of mbedtls_xxx_drbg_update
Fixes ARMmbed/mbedtls#1798
2018-11-26 19:26:22 +01:00
Gilles Peskine
8220466297 Streamline mbedtls_xxx_drbg_update_seed_file
Refactor mbedtls_ctr_drbg_update_seed_file and
mbedtls_hmac_drbg_update_seed_file to make the error logic clearer.

The new code does not use fseek, so it works with non-seekable files.
2018-11-26 19:26:22 +01:00
Gilles Peskine
b7f71c8bc1 HMAC_DRBG: report all errors from HMAC functions
Make sure that any error from mbedtls_md_hmac_xxx is propagated.
2018-11-26 19:26:22 +01:00
Gilles Peskine
e0e9c573ad HMAC_DRBG: deprecate mbedtls_hmac_drbg_update because it ignores errors
Deprecate mbedtls_hmac_drbg_update (which returns void) in favor of a
new function mbedtls_hmac_drbg_update_ret which reports error.
2018-11-26 19:26:21 +01:00